Maybe something based on Diffie Hellman (which RSP uses)? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Cridland Sent: Tuesday, August 19, 2008 7:48 PM To: XMPP Security Subject: Re: [Security] TLS Certificates Verification
On Tue Aug 19 18:33:53 2008, Eric Rescorla wrote: > Actually, this is a lot more complicated than it has to be. TLS has > two > features that make this trivial to do and that don't rely on > certificates > > 1. A PAKE mode (SRP)[0] I see how this works, but you're asking for quite a bit of less than usual TLS magic involved. Could we use a simple, channel-binding, shared-secret based SASL mechanism? I've the thought in my head that we could make this essentially the same as Bluetooth keying, using the channel binding to "learn" the certificates. That ought to be using essentially out-of-the-box bits of software, whereas I'm not so sure that SRP quite ranks there yet, and may well not for a long while. Dave. -- Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED] - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/ - http://dave.cridland.net/ Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
